Seeding a question that will help me in investigations later tonight:
I am seeing some bugs with RapidJSON, they might not be fixable unless we start using a more recent checkout of their code. There has not been a release since August 2016. Do we choose a commit to pin to that seems reasonable, or do we search for some other creative solution? If (b), what do your creative minds suggest?
10/17/2019, 6:32 PM
I would suggest filing issues for each on the rapidjson project against the release version. Might motivate them to issue another release. I am up for helping to fix some of them if not addressed by newer commits.
And of course, the filing of the issues helps educate others on vulns they may not be aware of
10/18/2019, 2:08 PM
I am not optimistic about motivating a new release. There are plenty of existing issues asking for a release and the maintainers are oddly absent from those questions/requests compared to all others.
I think opening issues on the osquery project is a good first-step as it assumes we made the mistake in how we use RapidJSON. It that turns out to not be the case and the issue is more pervasive then we can reference from a follow-up issue on RapidJSON's repo?